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L REAL PARTY IN INTEREST 

The real party in interest is Hewlett-Packard Development Company, L.P. 
(HPDC), a Texas Limited Partnership, having its principal place of business in 
Houston, Texas. HPDC is a wholly owned affiliate of Hewlett-Packard Company 
(HPC). The Assignment from the inventors to Peregrine Systems, Inc., was 
recorded on December 12, 2005, at Reel/Frame 017328/0356. The Merger 
document from Peregrine Systems, Inc. to HPC was recorded on May 31, 2006, 
at Reel/Frame 017703/0668. The Assignment from HPC to HPDC was recorded 
on July 10, 2006, at Reel/Frame 017905/0174. 



348890.01/2162.86800 



Page 4 of 27 



HP PDNO 200601202-5 



Appl. No. 10/506,815 

Appeal Brief dated June 21, 2010 

Reply to Office Action of January 21, 2010 



11. RELATED APPEALS AND INTERFERENCES 

Appellants are unaware of any related appeals or interferences. 
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III. STATUS OF THE CLAIMS 

Originally filed claims: 1 -1 9. 
Claim cancellations: None 
Added claim: 20. 
Presently pending claims: 1-20. 
Presently appealed claims: 1-20. 
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IV. STATUS OF THE AMENDMENTS 

No claims were amended after the Office Action dated January 21, 2010. 
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V- SUMMARY OF THE CLAIMED SUBJECT MATTER 

This section provides a concise explanation of tine subject matter defined 
in eacii of the independent claims, referring to the specification by page and line 
number or to the drawings by reference characters as required by 37C.F.R. 
§ 41 .37(c)(1)(v). Each element of the claims is identified with a corresponding 
reference to the specification or drawings where applicable. The specification 
references are made to the application as filed by Appellants. Note that the 
citation to passages in the specification or drawings for each claim element does 
not imply that the limitations from the specification and drawings should be read 
into the corresponding claim element. Also note that these specific references 
are not exclusive; there may be additional support for the subject matter 
elsewhere in the specification and drawings. 

1. A data network management system for identifying unauthorized 
access to a data network service,^ provided at a service node in a data network,^ 
by a user node in said data network,^ said service node having an agent"^ and 
having means for maintaining a user access list,^ said user access list having at 
least one data network address corresponding to at least one user node in said 
data network,^ said system comprising: 

a data communication means for periodically polling said agent at said 
service node and for retrieving a user access list from said agent, said user 
access list specifying which users have accessed said service node/ 



^ Fig. 1 (110). Disclosure p. 10, lines 1-4 of paragraph [0029]. 

^ Fig. 1 (230, 260, 300). Disclosure p. 13, lines 2-4 of paragraph [0035]. 

^ Fig. 1 (200, 210, 240, 250, 270, 280). Disclosure p. 12, lines 16-20 of 
paragraph [0032]. 

Fig. 1 (230, 260, 300). Disclosure p. 12-13, lines 4-13 of paragraph [0034]. 
^ Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
^ Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
^ Fig. 1 (110). Disclosure p. 14, lines 3-11 of paragraph [0037]. 
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a database for maintaining an authorized access list for said service node, 
said authorized access list specifying which users are authorized to access said 
service node;^ and 

a data processing means for detecting unauthorized access to said service 
node by comparing said user access list to said authorized access list and for 
updating said authorized access list based on the user access list retrieved from 
said agent.^ 

5. A method for identifying unauthorized access to a data network 
service, provided at a service node in a data network, by a user node in said 
data network,^ ^ said service node having an agent^^ and having means for 
maintaining a user access list,^^ said user access list having at least one data 
network address corresponding to at least one user node in said data network,^"^ 
said method comprising: 

a) periodically polling an agent and retrieving said user access list, for 
a given period of time, from said service node in said data network;^^ 

b) comparing said user access list to an authorized access list;^^ 

c) determining if an access to said service node was unauthorized 
based on comparing said user access list to the authorized access list;^^ and 



® Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
® Fig. 1 (110). Disclosure p. 14-15, lines 1-15 of paragraph [0038]. 
Fig. 1 (230, 260, 300). Disclosure p. 13, lines 2-4 of paragraph [0035]. 

Fig. 1 (200, 210, 240, 250, 270, 280). Disclosure p. 12, lines 16-20 of 

paragraph [0032]. 

Fig. 1 (230, 260, 300). Disclosure p. 12-13, lines 4-13 of paragraph [0034]. 
Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
'"^ Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
Fig. 3 (470, 480). Disclosure p. 17, lines 5-10 and 15-17 of paragraph [0043]. 
Fig. 3 (490). Disclosure p. 18, lines 17-19 of paragraph [0043]. 
Fig. 3 (500). Disclosure p. 18, lines 19-21 of paragraph [0043]. 
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d) if said access was not authorized, initiating a notification process;^^ 
wherein said user access list identifies a plurality of accesses to said 
service node.^^ 



13. A computer-readable medium for identifying unauthorized access to 
a data network service, provided at a service node in a data network,^° by a user 
node in said data network,^^ said service node having an agent^^ and having 
means for maintaining a user access list,^^ said user access list having at least 
one data network address corresponding to at least one user node in said data 
network,^'* and said medium having stored thereon, computer-readable and 
computer-executable instructions which, when executed by a processor, cause 
said processor to perform steps comprising: 

a) periodically polling an agent and retrieving said user access list, for 
a given period of time, from said service node in a data network;^^ 

b) comparing said user access list to an authorized access list;^^ 

c) determining if an access to said data network service was 
authorized based on said comparison step b);^'' 

d) if determined that said access was unauthorized, initiating a 
notification process.^® 



Fig. 3 (520). Disclosure p. 18, lines 23-28 of paragraph [0043]. 
^® Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
Fig. 1 (230, 260, 300). Disclosure p. 13, lines 2-4 of paragraph [0035]. 

Fig. 1 (200, 210, 240, 250, 270, 280). Disclosure p. 12, lines 16-20 of 

paragraph [0032]. 

Fig. 1 (230, 260, 300). Disclosure p. 12-13, lines 4-13 of paragraph [0034]. 
Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
Fig. 1 (230, 260, 300). Disclosure p. 14, lines 12-15 of paragraph [0036]. 
Fig. 3 (470, 480). Disclosure p. 17, lines 5-10 and 15-17 of paragraph [0043]. 
Fig. 3 (490). Disclosure p. 18, lines 17-19 of paragraph [0043]. 
Fig. 3 (500). Disclosure p. 18, lines 19-21 of paragraph [0043]. 
Fig. 3 (520). Disclosure p. 18, lines 23-28 of paragraph [0043]. 
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18. A computer for use in a data network for identifying unauthorized 
access to a data network service,^^ provided at a service node in a data 
network, by a user node in said data network,^^ said service node having an 
agene^ and having means for maintaining a user access list,^^ said user access 
list having at least one data network address corresponding to at least one user 
node in said data network;^"^ said computer comprising: 

means for storing an authorized access list for said service node, said 
authorized access list specifying which users are authorized to access said 
service node;^^ 

a central processing unit;^^ 

data communication means for periodically polling said agent at said 
service node and retrieving a user access list from said agent, said user access 
list specifying which users have accessed said service node;^'' and 

data processing means for comparing said retrieved user access list to 
said authorized access list and for updating said authorized access list based on 
the user access list retrieved from said agent.^^ 



Fig. 1 (110). Disclosure p. 10, lines 1-4 of paragraph [0029]. 

Fig. 1 (230, 260, 300). Disclosure p. 13, lines 2-4 of paragraph [0035]. 

Fig. 1 (200, 210, 240, 250, 270, 280). Disclosure p. 12, lines 16-20 of 

paragraph [0032]. 

Fig. 1 (230, 260, 300). Disclosure p. 12-13, lines 4-13 of paragraph [0034]. 
Fig. 1 (230, 260, 300). Disclosure end of p. 14, lines 12-15 of paragraph [0036]. 
^ Fig. 1 (230, 260, 300). Disclosure end of p. 14, lines 12-15 of paragraph [0036]. 
Fig. 1 (230, 260, 300). Disclosure end of p. 14, lines 12-15 of paragraph [0036]. 
Fig. 1 (110). Disclosure p. 9, lines 10-11 of paragraph [0021]. 
Fig. 1 (110). Disclosure p. 14, lines 3-1 1 of paragraph [0037]. 
Fig. 1 (110). p. 14-15, lines 1-15 of paragraph [0038]. 
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VI. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

Whether claims 1, 4-11, 13-16 and 18-20 are anticipated by Ginzboorg 
et al. (U.S. Pat. No. 6,240,091). 

Whether claims 2-3, 12 and 17 are obvious over Ginzboorg in view of Noy 
et al. (U.S. Pat. No. 6,539,540). 
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VII. ARGUMENT 

A. Anticipation rejection of claims 1, 4-11, 13-16 and 18-20 
over Ginzboorg 

1. Claims 1, 4 and 18-20 

a) The art fails to teach or suggest "a data 
network management system for identifying 
unauthorized access to a data network 
service..." 

Independent claim 1 recites, in part, "a data network management system 
for identifying unauthorized access to a data network service... ." Independent 
claim 18 recites a similar limitation. The Examiner cites Ginzboorg at column 15, 
lines 40-44 as allegedly teaching the quoted limitation. However, the location 
cited by examiner fails to teach or suggest the quoted limitation. 

Ginzboorg relates to the implementation of an access service in a 
telecommunications network, comprising an access network, a network that 
provides services, and user-operated terminals that are connected to the access 
network (Ginzboorg Abstract). The user terminal may generate charging 
messages, which if verified, give the terminal access to the network providing the 
services (Ginzboorg Abstract). Ginzboorg further discloses updating an access 
list when "the charging server sends the addresses of the terminals which 
currently pay for the access to the network providing the services..." and that 
when a "user finishes using the connection, the charging server sends a CANCEL 
message to the access server[, causing] the access server [to update] the access 
list... so that the user in question is removed from the list during the update." 
(Ginzboorg col. 10, L 62-col. 11, t. 4). Thus, Ginzboorg's access list is a list of 
addresses that have paid for access to the network providing services. 

Furthermore, at the location cited by the Examiner, Ginzboorg discloses 
that "paying customers have access to the network providing the services and the 
non-paying customers do not have access." In other words, non-paying or 
unauthorized customers "do not have access [to the network providing the 
services]." Since unauthorized access is expressly prohibited by Ginzboorg, 
Ginzboorg cannot disclose any system "for identifying unauthorized access..." as 
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required by the quoted limitation. None of the other art of record satisfies the 

deficiencies of Ginzboorg. For at least this reason, Appellants respectfully 

submit that the Examiner erred in rejecting independent claims 1 and 18 and all 

claims that depend thereon. 

b) The art fails to teach or suggest ''a data 
communication means for periodically 
polling said agent at said service node and 
for retrieving a user access list from said 
agent, said user access list specifying which 
users have accessed said service node..." 

Additionally, independent claim 1 recites, in part, "a data communication 
means for periodically polling said agent at said service node and for retrieving a 
user access list from said agent, said user access list specifying which users 
have accessed said service node... ." Independent claim 18 recites a similar 
limitation. The Examiner cites Ginzboorg at column 15, lines 44-50 as allegedly 
teaching the quoted limitation. However, the location cited by examiner fails to 
teach or suggest the quoted limitation. 

At the location cited by the Examiner, Ginzboorg discloses that sometimes 
"the router prevents the paying customers from accessing the network... or 
allows access for non-paying customers... [t]o correct such a situation the access 
server polls the router [to get the access list] and the charging server [to get the 
IP addresses of paying customers]." (Ginzboorg col. 15, lines 44-52). However, 
as discussed above, Ginzboorg's access list is a list of addresses that are 
permitted to access the network providing services, and is not a list of all 
accesses to a node or the network. Thus, the access list of G fails to teach or 
suggest an "access list specifying which users have accessed said service 
node..." as required by the quoted limitation. Furthermore, a list of IP 
addresses of paying customers "at the moment in question" (Ginzboorg col. 15, 
line 52) fails to teach or suggest an "access list specifying which users have 
accessed said service node... ." None of the other prior art of record satisfies 
the deficiencies of Ginzboorg. For at least this additional reason. Appellants 
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respectfully submit that the Examiner erred in rejecting independent claims 1 

and 18 and all claims that depend thereon. 

c) The art fails to teach or suggest "a data 
processing means for detecting 
unauthorized access to said service node by 
comparing said user access list to said 
authorized access list..." 

Additionally, independent claim 1 recites, in part, "a data processing 

means for detecting unauthorized access to said service node by 

comparing said user access list to said authorized access list... 

Independent claim 18 recites a similar limitation. The Examiner cites Ginzboorg 
at column 15, lines 50-52 as allegedly teaching the quoted limitation. However, 
the location cited by the Examiner fails to teach or suggest the quoted limitation. 

At the location cited by the Examiner, Ginzboorg discloses comparing a list 
of users allowed to access the network with a list of customers who pay "at the 
moment in question for access to the network." (Ginzboorg col. 15, lines 50-52). 
Additionally, Ginzboorg discloses that the access server adds paying customers 
that are not included to the access list and removes included addresses that are 
not paying customers (Ginzboorg col. 15, lines 52-57). 

Although Ginzboorg discloses a comparison of lists, it is for the purpose 
of updating the access list to conform to the list of paying customers at the 
charging server. Ginzboorg's access list does not ever keep track of accesses 
to the router or the network, and so there is no way to detect whether there has 
been an unauthorized access. Ginzboorg is merely capable of determining that 
an unauthorized access was possible because of the improper inclusion of an 
address on the access list. Thus, Ginzboorg cannot detect an unauthorized 
access by comparing the two lists. None of the other art of record satisfies this 
deficiency of Ginzboorg. For at least this additional reason. Appellants 
respectfully submit that the Examiner erred in rejecting independent claims 1 
and 18 and all claims that depend thereon. 
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d) The art fails to teach or suggest "a data 

processing means... for updating said 

authorized access list based on the user 
access list retrieved from said agent" 

Additionally, independent claim 1 recites, in part, "a data processing 
means... for updating said authorized access list based on the user access list 
retrieved from said agent." Independent claim 18 recites a similar limitation. The 
Examiner cites Ginzboorg at column 15, lines 50-52 as allegedly teaching the 
quoted limitation and cites Ginzboorg at column 18, lines 14-24, in reference to 
claims 6 and 14, as teaching a similar limitation. However, the locations cited by 
the Examiner fail to teach or suggest the quoted limitation. 

At the location cited by the Examiner, Ginzboorg discloses 
"synchronization of... payments and access rights by comparing... [a] list of 
open connections to addresses of paying customers" and correcting any 
detected conflicts (Ginzboorg col. 18, lines 14-24). Thus, Ginzboorg discloses 
updating an access list to conform to a list of addresses of paying customers. 
However, Appellants' quoted limitation requires "updating said authorized 
access list based on the user access list retrieved from said agent." 
Appellants' "user access list" is a list of users that have accessed a particular 
node. Ginzboorg's disclosure of updating an access list based on a list of 
paying customers fails to teach or suggest updating an access list based on a 
list of users that have accessed a particular node. None of the other art of 
record satisfies this deficiency of Ginzboorg. For at least this additional reason. 
Appellants respectfully submit that the Examiner erred in rejecting claims 1 and 
18 and all claims that depend thereon. 

Based on the foregoing. Appellants respectfully request that the rejections 
of claims 1 and 18 and all claims that depend thereon be reversed. 
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2. Claims 5-11 and 13-16 

a) The art fails to teach or suggest "[a] method 
for identifying unauthorized access to a data 
network service..." 

Independent claim 5 recites, in part, "[a] method for identifying 

unautlnorized access to a data network service..." Independent claim 13 recites a 

similar limitation. The Examiner rejects the quoted limitation similarly to claims 1 

and 18, and so for the similar portions. Appellants incorporate those remarks 

made with respect to claims 1 and 18. For at least this reason. Appellants 

respectfully submit that the Examiner erred in rejecting independent claims 5 

and 13 and all claims that depend thereon. 

b) The art fails to teach or suggest 
"determining if an access to said service 
node was unauthorized based on comparing 
said user access list to the authorized 
access list..." 

Additionally, independent claim 5 recites, in part, "determining if an access 
to said service node was unauthorized based on comparing said user access list 
to the authorized access list... ." Independent claim 13 recites a similar limitation. 
The Examiner cites Ginzboorg at column 15, lines 50-52 as allegedly teaching the 
quoted limitation. However, the location cited by examiner fails to teach or 
suggest the quoted limitation. 

At the location cited by the Examiner, Ginzboorg discloses comparing a list 
of users allowed to access the network with a list of customers who pay "at the 
moment in question for access to the network." (Ginzboorg col. 15, lines 50-52). 
Additionally, Ginzboorg discloses that the access server adds paying customers 
that are not included to the access list and removes included addresses that are 
not paying customers (Ginzboorg col. 15, lines 52-57). 

Although Ginzboorg discloses a comparison of lists, it is for the purpose 
of updating the access list to conform to the list of paying customers at the 
charging server. Ginzboorg's access list does not ever keep track of accesses 
to the router or the network, and so there is no way to detect whether there has 
been an unauthorized access. Ginzboorg is merely capable of determining that 
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an unauthorized access was possible because of the improper inclusion of an 
address on the access list. Thus, Ginzboorg cannot "deternnine[e] if an access 
to said service node was unauthorized based on connparing" its two lists. None 
of the other art of record satisfies this deficiency of Ginzboorg. For at least this 
additional reason, Appellants respectfully submit that the Examiner erred in 
rejecting independent claims 5 and 13 and all claims that depend thereon. 

Based on the foregoing, Appellants respectfully request that the rejections 
of claims 5 and 13 and all claims that depend thereon be reversed. 
3. Claims 6 and 14 

Dependent claim 6 recites, in part, "updating said authorized access list 
based on said user access list retrieved from said service node." Dependent 
claim 14 recites a similar limitation. Thus, Appellants respectfully submit that 
the Examiner erred in rejecting claims 6 and 14 for at least the reasons given 
above with respect to claims 1 and 18. 

Based on the foregoing. Appellants respectfully request that the rejections 
of claims 6 and 14 be reversed. 

B. Obviousness rejection of claims 2-3, 12 and 17 over 
Ginzboorg in view of Noy 

1. Claims 2-3, 12 and 17 

Claims 2-3, 12 and 17 each depend on independent claim 1, 5 or 13 and 
are thus allowable over Ginzboorg for the reasons given above. Furthermore, 
Noy fails to satisfy the above deficiencies of Ginzboorg. Thus, Appellants 
respectfully submit that the Examiner erred in rejecting claims 2-3, 12 and 17 for 
at least the reasons given above with respect to claims 1, 5 and 13. 

Based on the foregoing. Appellants respectfully request that the rejections 
of claims 2-3, 12 and 17 be reversed. 

C. Conclusion 

For the reasons stated above. Appellants respectfully submit that the 
Examiner erred in rejecting all pending claims. It is believed that no extensions 
of time or fees are required, beyond those that may otherwise be provided for in 
documents accompanying this paper. However, in the event that additional 
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extensions of time are necessary to allow consideration of tliis paper, sucli 
extensions are hereby petitioned under 37 C.F.R. § 1.136(a), and any fees 
required (including fees for net addition of claims) are hereby authorized to be 
charged to Hewlett-Packard Development Company's Deposit Account No. 08- 
2025. 

Respectfully submitted, 
/Jonathan M. Harris/ 



Jonathan M. Harris 
PTOReg. No. 44,144 
CONLEY ROSE, P.C. 
(713) 238-8000 (Phone) 
(713) 238-8008 (Fax) 
ATTORNEY FOR APPELLANTS 

HEWLETT-PACKARD COMPANY 
Intellectual Property Administration 
Legal Dept., M/S 35 
3404 E. Harmony Road 
Fort Collins, CO 80528-9599 
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VIII. CLAIMS APPENDIX 

1 . A data network management system for identifying unauthorized access to 
a data network service, provided at a service node in a data network, by a user 
node in said data network, said service node having an agent and having means 
for maintaining a user access list, said user access list having at least one data 
network address corresponding to at least one user node in said data network, 
said system comprising: 

a data communication means for periodically polling said agent at said 
service node and for retrieving a user access list from said agent, said user 
access list specifying which users have accessed said service node; 

a database for maintaining an authorized access list for said service node, 
said authorized access list specifying which users are authorized to access said 
service node; and 

a data processing means for detecting unauthorized access to said service 
node by comparing said user access list to said authorized access list and for 
updating said authorized access list based on the user access list retrieved from 
said agent. 

2. The data network management system as defined in claim 1 , wherein said 
agent is a Simple Network Management Protocol agent. 
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3. The data network management system as defined in claim 1 , wherein said 
data communication means is a Simple Network Management Protocol 
communication means. 

4. The data network management system as defined in claim 1, further 
including means for installing said agent at said service node, said agent having 
means to communicate with said data communication means. 

5. A method for identifying unauthorized access to a data network service, 
provided at a service node in a data network, by a user node in said data 
network, said service node having an agent and having means for maintaining a 
user access list, said user access list having at least one data network address 
corresponding to at least one user node in said data network, said method 
comprising: 

a) periodically polling an agent and retrieving said user access list, for 
a given period of time, from said service node in said data network; 

b) comparing said user access list to an authorized access list; 

c) determining if an access to said service node was unauthorized 
based on comparing said user access list to the authorized access list; and 

d) if said access was not authorized, initiating a notification process; 
wherein said user access list identifies a plurality of accesses to said 

service node. 
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6. The method as defined in claim 5, further including updating said 
authorized access list based on said user access list retrieved from said service 
node. 

7. The method as defined in claim 5, further including installing said agent at 
said user node, prior to periodically polling and retrieving said user access list. 

8. The method as defined in claim 5, further including selecting said service 
node for identification based on a predetermined criteria, prior to retrieving said 
user access list. 

9. The method as defined in claim 5, wherein said notification process 
comprises notifying a Network Operations Console. 

10. The method as defined in claim 5, wherein a) through c) are repeated, and 
wherein said user node is selected from one of a plurality of user nodes in said 
data network. 

1 1 . The method as defined in claim 5, wherein a) through d) are repeated, and 
wherein said user node is selected from one of a plurality of user nodes in said 
data network. 
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12. The method as defined in claim 5, wherein said agent is a Simple Network 
Management Protocol agent. 

13. A computer-readable medium for identifying unauthorized access to a data 
network service, provided at a service node in a data network, by a user node in 
said data network, said service node having an agent and having means for 
maintaining a user access list, said user access list having at least one data 
network address corresponding to at least one user node in said data network, 
and said medium having stored thereon, computer-readable and computer- 
executable instructions which, when executed by a processor, cause said 
processor to perform steps comprising: 

a) periodically polling an agent and retrieving said user access list, for 
a given period of time, from said service node in a data network; 

b) comparing said user access list to an authorized access list; 

c) determining if an access to said data network service was 
authorized based on said comparison step b); 

d) if determined that said access was unauthorized, initiating a 
notification process. 

14. The computer-readable medium as defined in claim 13, further containing 
computer-readable and computer-executable instructions which perform a step of 
updating said authorized access list based on user access information. 
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15. The computer-readable medium as defined in claim 13, further containing 
computer-readable and computer-executable instructions which perform a step of 
installing said agent at said user node, prior to retrieving said user access list in 
step a). 

16. The computer-readable medium as defined in claim 13, further containing 
computer-readable and computer-executable instructions wherein said steps 
a) through c) are repeated, and wherein said user node is selected from one of a 
plurality of user nodes in said data network. 

17. The computer-readable medium as defined in claim 13, wherein said 
agent is a Simple Network Management Protocol agent. 

18. A computer for use in a data network for identifying unauthorized access to 
a data network service, provided at a service node in a data network, by a user 
node in said data network, said service node having an agent and having means 
for maintaining a user access list, said user access list having at least one data 
network address corresponding to at least one user node in said data network; 
said computer comprising: 

means for storing an authorized access list for said service node, said 
authorized access list specifying which users are authorized to access said 
service node; 

a central processing unit; 
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data communication means for periodically polling said agent at said 
service node and retrieving a user access list from said agent, said user access 
list specifying which users have accessed said service node; and 

data processing means for comparing said retrieved user access list to 
said authorized access list and for updating said authorized access list based on 
the user access list retrieved from said agent. 

19, The data network as defined in claim 1 , wherein said authorized access list 
is a common authorized user access list that includes a range of user nodes for 
comparing to said user access list to determine if said user access list is a subset 
of said common authorization access list. 

20. The data network management system of claim 1 wherein said user 
access list identifies a plurality of accesses to said service node. 
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IX. EVIDENCE APPENDIX 

None. 
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X. RELATED PROCEEDINGS APPENDIX 

None. 
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